Keep Pace in Europe with the EU-US Data Privacy Framework Certification

Earlier this summer, the Biden Administration and the European Commission formalized the EU-US Data Privacy Framework (“DPF”). This is a very big deal and a long-awaited remedy that lets U.S. companies competitively offer technology products and services to EU markets.

You may recall the former Privacy Shield program in place from 2016 to 2021. U.S. companies certified under Privacy Shield could lawfully engage in transatlantic exchanges of personal data for commercial purposes, which allowed those companies to market in the EU.

When the GDPR took effect in 2018, global views of consumer privacy changed forever, and in 2021, the Court of Justice of the European Union found that the U.S. Privacy Shield program was no longer adequate under modern EU privacy and security standards. Since 2021, U.S. companies could only do business involving EU consumers through complex and often ill-fitting Standard Contractual Clauses (SCCs) attached to every contract for a technology product or service. The result was increased costs and legal risk factors for the U.S. company, and a reduced competitive edge in the international market.

The DPF allows U.S. companies to once again participate in cross-border data transfers of EU personal data in compliance with modern U.S. and EU privacy and security standards.

What does the DPF mean for U.S. businesses?

The EU-US Data Privacy Framework offers a long-awaited remedy for U.S. companies to market products and services within EU markets. The SCCs are merely a private contract between companies, subject to court interpretation or regulatory invalidation. In contrast, DPF-certified companies can engage in EU personal data transfer and processing under the structure of an international treaty. U.S. companies that become certified under the DPF can ditch the SCCs for a more streamlined and effective solution.

Which businesses should DPF certify?

DPF certification is recommended for all U.S. companies that transfer or process EU personal data for any purpose. For example, a company that serves consumers in the EU, or a company that acts as a vendor to a B2B company with customers in the EU. DPF certification is also a key step in preparing to expand into the EU. Any business that intends to have international reach will benefit from certifying under the DPF.

What are the steps to certify?

The certification process starts by reviewing existing transfer mechanisms with privacy counsel to identify necessary updates and finishes with submitting a written assessment and application to the U.S. Data Privacy Framework Program for consideration.

Businesses that wish to certify under DPF must complete an internal assessment of their privacy and security practices under seven Framework Principles:

  1. Notice
  2. Choice
  3. Accountability for Onward Transfer
  4. Security
  5. Data Integrity and Purpose Limitation
  6. Access
  7. Recourse, Enforcement, and Liability

Once approved for certification, the business may immediately begin relying on the DPF adequacy decision to receive personal data transfers from the EU and the European Economic Area. Certified businesses must sustain the applicable standards and re-certify annually to maintain certification.

What is the benefit of DPF certification?

The Data Privacy Framework treaty has fundamentally changed the standard for U.S. businesses providing products or services to EU consumers. The certification is set to become the internationally recognized indicator that a U.S. business is up to the task of providing technology products and services to EU markets.

The most obvious and immediate benefit of DPF certification will be streamlined contract negotiations and customer onboarding. DPF-certified companies are recognized as lawfully transferring EU personal data and are therefore not required to negotiate SCCs into contracts. This offers certified businesses an edge over competitors and allows for more efficient contract negotiations with domestic and international B2B customers and vendors.

For the same reasons, it is foreseeable that companies interested in U.S. business connections will soon specifically seek out U.S. partners with DPF certification, or refuse to execute contracts containing SCCs, now that DPF certification is available.

Businesses that begin the certification process early can realize these benefits and leverage the certification to enhance the business’s reputation as a modern, privacy-forward technology provider.

Tech and tech-enabled companies should consider the Data Privacy Framework as a foundational item to their privacy and data security program. Immix privacy counsel is available to support businesses through the certification process. Please contact Emily.Maass@immixlaw.com if you have any questions or if you would like your company to become certified.